A Proposal for Broad Spectrum Proof Certificates - LIX-polytechnique
A Proposal for Broad Spectrum Proof Certificates Dale Miller ´ INRIA-Saclay & LIX, Ecole Polytechnique Palaiseau, France
Certified Programs and Proofs, 7 December 2011
Can we standardize, communicate, and trust formal proofs?
First, we narrow our topic Proofs are documents that are used to communicate trust within a community of agents (humans and machines). Proof certificates are documents that should denote proofs. Our focus today: 1. Publishing and checking formal proofs by computer agents 2. Separate proofs from provenance. 3. Flexible certificate vs simple checkers Not our focus today: 1. Humans and proofs: learning and interacting with proofs 2. Do I have the right theorem? 3. etc.
Outline
Four desiderata for proof certificates
More specifics about logic, computation, and proof
The technical bits: Focused proof systems
Outline
Four desiderata for proof certificates
More specifics about logic, computation, and proof
The technical bits: Focused proof systems
D1: A simple checker can, in principle, check if a proof certificate denotes a proof. The de Bruijn’s principle: provers should output proofs that can be checked by simple checkers. Here “simple” might mean that the checker can be independently validated (eg, by hand).
D1: A simple checker can, in principle, check if a proof certificate denotes a proof. The de Bruijn’s principle: provers should output proofs that can be checked by simple checkers. Here “simple” might mean that the checker can be independently validated (eg, by hand). “Everything should be made as simple as possible, but not one bit simpler.” -A. Einstein Ultimately, I will argue that proof certificates will be programs and a checker will be an interpreter for such programs.
D2: The proof certificate format supports a broad spectrum of proof systems.
One should not need to radically transform accumulated proof evidence in order to output a proof certificate. Clearly, there is a tension between D1 and D2. Consider the following additional consequences of these two desiderata.
Marketplaces for proofs The ACME company needs a formal proof for its next generation of controllers for airplanes, electric cars, medical equipment, etc. ACME submits to the “proofs” marketplace a proposed theorem as a proof certificate with a “hole” for its actual proof. The contract: You get paid if you can fill the hole in such a way that ACME can check it.
This marketplace would be open: anyone using any combination of deduction engines would be able to compete and/or cooperate.
Marketplaces for proofs The ACME company needs a formal proof for its next generation of controllers for airplanes, electric cars, medical equipment, etc. ACME submits to the “proofs” marketplace a proposed theorem as a proof certificate with a “hole” for its actual proof. The contract: You get paid if you can fill the hole in such a way that ACME can check it.
This marketplace would be open: anyone using any combination of deduction engines would be able to compete and/or cooperate. Both partial proofs or counter-examples should also have economic value and be included in a general setting of “proof certificates”.
Libraries of proofs Proof certificates can be archived, searched, and retrieved. Additionally, one might be able to browse, apply, and transform them. One might trust the authority behind the library. Libraries might invest in significant computing power, thus expanding the proof certificates that they can check. A library has strong motivations to be careful: accepting a non-proof puts their entire library and accumulative trust at risk.
D3: A proof certificate is intended to denote a proof in the sense of structural proof theory. Structural proof theory is a mature field that deals with deep aspects of proofs and their properties.
For example: given certificates for ∀x(A(x) ⊃ ∃y B(x, y )) and A(10), can we extract from them a t such that B(10, t) holds? Such proofs can also be considered immortal.
D4: A proof certificate can simply leave out details of the intended proof. Formal proofs are often huge. All means to reduce their size need to be available. • Introductions of abstractions and lemma. • Separate computation from deduction and leave computation traces out of the certificate. • Allow trade-offs between proof size and proof reconstruction: (bounded) proof search maybe need to fill in holes. This desideratum leads to strong demands on the nature of proof certificates. • What bound on search is sensible? • How to ensure that such search is sensibly directed?
Outline
Four desiderata for proof certificates
More specifics about logic, computation, and proof
The technical bits: Focused proof systems
Which logic? First-order or higher-order?
Which logic? First-order or higher-order? Both! Higher-order (`a la Church 1940) seems a good choice since it includes propositional and first-order.
Which logic? First-order or higher-order? Both! Higher-order (`a la Church 1940) seems a good choice since it includes propositional and first-order. Classical or intuitionistic logic?
Which logic? First-order or higher-order? Both! Higher-order (`a la Church 1940) seems a good choice since it includes propositional and first-order. Classical or intuitionistic logic? Both! Imagine that these two logics fit together in one larger logic. Following Gentzen (LK/LJ), Girard (LU) and, recently, Liang & M.
Which logic? First-order or higher-order? Both! Higher-order (`a la Church 1940) seems a good choice since it includes propositional and first-order. Classical or intuitionistic logic? Both! Imagine that these two logics fit together in one larger logic. Following Gentzen (LK/LJ), Girard (LU) and, recently, Liang & M. Modal, temporal, spatial? I leave these out for now. There is likely to always be a frontier that does not fit. (However, the syntax of modal operators fits well with Church’s logic and their semantics can similarly be encoded.)
Which computation paradigm? Proof certificates need to be performed and gaps must be reconstructed Checking can be computationally expensive. Computation should be broad spectrum as well: should be • non-deterministic, since determinism is a special case; • concurrent, since sequential is a special case; and • relational, since functions are a special case. Logic programming might be a good candidate.
Which proof system?
There are numerous, well studied proof systems: natural deduction, sequent, tableaux, resolution, etc. Many others are clearly proof-like: tables (in model checking), winning strategies (in game playing), etc. Other: certificates for primality, etc. We wish to capture all of these proof objects. Of course, handling so many proof formats might make for a terribly complex proof checker.
Atoms and molecules of inference How can we address all of these demands on certificates? There are atoms of inference. • Gentzen’s sequent calculus first provided these: introduction and structural rules. • Girard’s linear logic refined our understanding of these further. • To account for first-order structure, we also need fixed points and equality. We can define molecules of inference. • There are “rules of chemistry” for assembling atoms of inference into molecules of inference (“synthetic inference rules”).
Satisfying the desiderata D1: Simple checkers. Only the atoms of inference and the rules of chemistry (both small and closed sets) need to be implemented in the checker. D2: Certificates supports a wide range of proof systems. The molecules of inference can be engineered into a wide range of existing inference rules. D3: Certificates are based on proof theory. Immediate by design. D4: Details can be elided. Proof search in the space of atoms can match proof search in the space of molecules. (Don’t invent new molecules in the checker!)
Outline
Four desiderata for proof certificates
More specifics about logic, computation, and proof
The technical bits: Focused proof systems
Focused proof systems Consider a one-side sequent calculus system for classical logic. Two invertible introduction inference rules: ` ∆, B1 , B2 ` ∆, B1 ∨ B2
` ∆, B[y /x] ` ∆, ∀xB
The inference rules for their de Morgan duals (not invertible): ` ∆, B[t/x] ` ∆, ∃xB
` ∆1 , B1 ` ∆2 , B2 ` ∆1 , ∆2 , B1 ∧ B2
Focused proofs are built in two phases: • the “up arrow” ⇑ phase where one only has invertible rules • the “down arrow” ⇓ phase where one has (not-necessarily) invertible rules
LKF : (multi)focused proof systems for classical logic
` Θ ⇑ Γ, t −
` Θ ⇓ t+
` Θ ⇑ Γ, A ` Θ ⇑ Γ, B ` Θ ⇑ Γ, A ∧− B
`Θ⇑Γ ` Θ ⇑ Γ, f −
` Θ ⇓ Γ1 , B1 ` Θ ⇓ Γ2 , B2 ` Θ ⇓ Γ1 , Γ2 , B1 ∧+ B2
Init ` ¬Pa , Θ ⇓ Pa
Store ` Θ, C ⇑ Γ ` Θ ⇑ Γ, C
Release `Θ⇑N `Θ⇓N
` Θ ⇑ Γ, A, B ` Θ ⇑ Γ, A ∨− B
` Θ ⇓ Γ, Bi ` Θ ⇓ Γ, B1 ∨+ B2 Decide ` P, Θ ⇓ P ` P, Θ ⇑ ·
P multiset of positives; N multiset of negatives; Pa positive literal; C positive formula or negative literal
Results about LKF ˆ result from B by Let B be a propositional logic formula and let B placing + or − on t, f , ∧, and ∨ (there are exponentially many such placements). ˆ has an LKF proof. Theorem. B is a tautology if and only if B [Liang & M, TCS 2009] Thus the different polarizations do not change provability but can radically change the proofs. Observe: • Negative (non-atomic) formulas are treated linearly (never weakened nor contracted). • Only positive formulas are contracted (in the Decide rule).
An example Assume that Θ contains a ∧+ b ∧+ ¬c. Atoms are assumed to be positive. ` Θ, ¬c ⇑ · ` Θ ⇑ ¬c Init Init Release `Θ⇓a `Θ⇓b ` Θ ⇓ ¬c and ` Θ ⇓ a ∧+ b ∧+ ¬c Decide `Θ⇑· This derivation is possible iff Θ is of the form ¬a, ¬b, Θ0 . Thus, the “macro-rule” is ` ¬a, ¬b, ¬c, Θ0 ⇑ · ` ¬a, ¬b, Θ0 ⇑ ·
A certificates for propositional logic: compute CNF Use ∧− and ∨− . Their introduction rules are invertible. The bottom-most “macro-rule” is huge, having all the clauses in the conjunctive normal form of B as premises.
...
Init ` L1 , . . . , Ln ⇓ Li Decide ` L1 , . . . , Ln ⇑ · .. . `·⇑B
...
The proof certificate can specify the complementary literals for each premise or it can ask the checker to search for them. Such proof certificates are tiny but require exponential time for checking.
Positive connectives allow for inserting information Let B have several alternations of conjunctions and disjunctions. The tautology C = (p ∨+ B) ∨+ ¬p has a huge proof using invertible connectives. The “clever proof” uses positive connectives. ` C , ¬p ⇓ p ∗ ` C , ¬p ⇓ C Decide ` C , ¬p ⇑ · ` C ⇑ ¬p ` C ⇓ ¬p ∗ `C ⇓C Decide `C ⇑· `·⇑C Clever choices ∗ are injected twice. The subformula B is avoided.
First-order terms and their structure ` Θ ⇓ Γ, A[t/x] ` Θ ⇓ Γ, ∃x A
` Θ ⇑ Γ, A[y /x] § ` Θ ⇑ Γ, ∀x A § y is not free in the lower sequent `Θ⇓t =t
` Θ ⇑ Γ, s 6= t
‡ s and t are not unifiable. ` Θ ⇑ Γ, B(νB)¯t ` Θ ⇑ Γ, νB ¯t
‡
` Θσ ⇑ Γσ † ` Θ ⇑ Γ, s 6= t
† s and t have mgu σ. ` Θ ⇓ Γ, B(µB)¯t ` Θ ⇓ Γ, µB ¯t
B is a formula with n ≥ 0 variables abstracted; ¯t is a list of n terms. Here, µ and ν denotes some fixed point. Least and greatest require induction and co-induction.
Examples of fixed points Natural numbers: terms over 0 for zero and s for successor. nat 0 :- true. nat (s X ) :- nat X . leq 0 Y
:- true.
leq (s X ) (s Y ) :- leq X Y . The logic programs and above can be coded as fixed points. nat = µ(λpλx.(x = 0) ∨+ ∃y .(s y ) = x ∧+ p y ) leq = µ(λqλxλy .(x = 0) ∨+ ∃u∃v .(s u) = x ∧+ (s v ) = y ∧+ q u v ). Horn clauses can be made into fixed point specifications (mutual recursions requires standard encoding techniques).
The engineering of proof systems Consider proving the down-arrow focused sequent ` Θ ⇓ (leq m n ∧+ N1 ) ∨+ (leq n m ∧+ N2 ), where m, n are natural numbers and N1 , N2 are negative formulas. There are exactly two possible macro rules: ` Θ ⇓ N1 for m ≤ n ` Θ ⇓ (leq m n ∧+ N1 ) ∨+ (leq n m ∧+ N2 ) ` Θ ⇓ N2 for n ≤ m ` Θ ⇓ (leq m n ∧+ N1 ) ∨+ (leq n m ∧+ N2 ) A macro inference rule can contain an entire Prolog-style computation.
The engineering of proof systems (cont) Consider proofs involving simulation. A
A
sim P Q ≡ ∀P 0 ∀A[ P −→ P 0 ⊃ ∃Q 0 [Q −→ Q 0 ∧ sim P 0 Q 0 ]]. A
Typically, P −→ P 0 is given as a table or as a recursion on syntax (e.g., CCS): hence, as a fixed point. The body of this expression is exactly two “macro connectives”. A
• ∀P 0 ∀A[P −→ P 0 ⊃ · ] is a negative “macro connective”. There are no choices in expanding this macro rule. A • ∃Q 0 [Q −→ Q 0 ∧+ · ] is a positive “macro connective”. There can be choices for continuation Q 0 . These macro-rules now match exactly the sense of simulation from model theory / concurrency theory.
Conclusion • Manifesto: A theorem is not proved until it is shared and checked. • Focused proof systems provide a rich method for describing “synthetic connectives” and their introduction rules. • A proof certificate provides I
a preamble that defines synthetic inference rules using the vocabulary of focused proofs and
I
a payload that describes proof evidence using the synthetic rules.
Closely related project: Deduction modulo of Dowek, Hardin, Kirchner and the Dedukti proof checker of Boespflug.
Certified Programs and Proofs, 7 December 2011
Can we standardize, communicate, and trust formal proofs?
First, we narrow our topic Proofs are documents that are used to communicate trust within a community of agents (humans and machines). Proof certificates are documents that should denote proofs. Our focus today: 1. Publishing and checking formal proofs by computer agents 2. Separate proofs from provenance. 3. Flexible certificate vs simple checkers Not our focus today: 1. Humans and proofs: learning and interacting with proofs 2. Do I have the right theorem? 3. etc.
Outline
Four desiderata for proof certificates
More specifics about logic, computation, and proof
The technical bits: Focused proof systems
Outline
Four desiderata for proof certificates
More specifics about logic, computation, and proof
The technical bits: Focused proof systems
D1: A simple checker can, in principle, check if a proof certificate denotes a proof. The de Bruijn’s principle: provers should output proofs that can be checked by simple checkers. Here “simple” might mean that the checker can be independently validated (eg, by hand).
D1: A simple checker can, in principle, check if a proof certificate denotes a proof. The de Bruijn’s principle: provers should output proofs that can be checked by simple checkers. Here “simple” might mean that the checker can be independently validated (eg, by hand). “Everything should be made as simple as possible, but not one bit simpler.” -A. Einstein Ultimately, I will argue that proof certificates will be programs and a checker will be an interpreter for such programs.
D2: The proof certificate format supports a broad spectrum of proof systems.
One should not need to radically transform accumulated proof evidence in order to output a proof certificate. Clearly, there is a tension between D1 and D2. Consider the following additional consequences of these two desiderata.
Marketplaces for proofs The ACME company needs a formal proof for its next generation of controllers for airplanes, electric cars, medical equipment, etc. ACME submits to the “proofs” marketplace a proposed theorem as a proof certificate with a “hole” for its actual proof. The contract: You get paid if you can fill the hole in such a way that ACME can check it.
This marketplace would be open: anyone using any combination of deduction engines would be able to compete and/or cooperate.
Marketplaces for proofs The ACME company needs a formal proof for its next generation of controllers for airplanes, electric cars, medical equipment, etc. ACME submits to the “proofs” marketplace a proposed theorem as a proof certificate with a “hole” for its actual proof. The contract: You get paid if you can fill the hole in such a way that ACME can check it.
This marketplace would be open: anyone using any combination of deduction engines would be able to compete and/or cooperate. Both partial proofs or counter-examples should also have economic value and be included in a general setting of “proof certificates”.
Libraries of proofs Proof certificates can be archived, searched, and retrieved. Additionally, one might be able to browse, apply, and transform them. One might trust the authority behind the library. Libraries might invest in significant computing power, thus expanding the proof certificates that they can check. A library has strong motivations to be careful: accepting a non-proof puts their entire library and accumulative trust at risk.
D3: A proof certificate is intended to denote a proof in the sense of structural proof theory. Structural proof theory is a mature field that deals with deep aspects of proofs and their properties.
For example: given certificates for ∀x(A(x) ⊃ ∃y B(x, y )) and A(10), can we extract from them a t such that B(10, t) holds? Such proofs can also be considered immortal.
D4: A proof certificate can simply leave out details of the intended proof. Formal proofs are often huge. All means to reduce their size need to be available. • Introductions of abstractions and lemma. • Separate computation from deduction and leave computation traces out of the certificate. • Allow trade-offs between proof size and proof reconstruction: (bounded) proof search maybe need to fill in holes. This desideratum leads to strong demands on the nature of proof certificates. • What bound on search is sensible? • How to ensure that such search is sensibly directed?
Outline
Four desiderata for proof certificates
More specifics about logic, computation, and proof
The technical bits: Focused proof systems
Which logic? First-order or higher-order?
Which logic? First-order or higher-order? Both! Higher-order (`a la Church 1940) seems a good choice since it includes propositional and first-order.
Which logic? First-order or higher-order? Both! Higher-order (`a la Church 1940) seems a good choice since it includes propositional and first-order. Classical or intuitionistic logic?
Which logic? First-order or higher-order? Both! Higher-order (`a la Church 1940) seems a good choice since it includes propositional and first-order. Classical or intuitionistic logic? Both! Imagine that these two logics fit together in one larger logic. Following Gentzen (LK/LJ), Girard (LU) and, recently, Liang & M.
Which logic? First-order or higher-order? Both! Higher-order (`a la Church 1940) seems a good choice since it includes propositional and first-order. Classical or intuitionistic logic? Both! Imagine that these two logics fit together in one larger logic. Following Gentzen (LK/LJ), Girard (LU) and, recently, Liang & M. Modal, temporal, spatial? I leave these out for now. There is likely to always be a frontier that does not fit. (However, the syntax of modal operators fits well with Church’s logic and their semantics can similarly be encoded.)
Which computation paradigm? Proof certificates need to be performed and gaps must be reconstructed Checking can be computationally expensive. Computation should be broad spectrum as well: should be • non-deterministic, since determinism is a special case; • concurrent, since sequential is a special case; and • relational, since functions are a special case. Logic programming might be a good candidate.
Which proof system?
There are numerous, well studied proof systems: natural deduction, sequent, tableaux, resolution, etc. Many others are clearly proof-like: tables (in model checking), winning strategies (in game playing), etc. Other: certificates for primality, etc. We wish to capture all of these proof objects. Of course, handling so many proof formats might make for a terribly complex proof checker.
Atoms and molecules of inference How can we address all of these demands on certificates? There are atoms of inference. • Gentzen’s sequent calculus first provided these: introduction and structural rules. • Girard’s linear logic refined our understanding of these further. • To account for first-order structure, we also need fixed points and equality. We can define molecules of inference. • There are “rules of chemistry” for assembling atoms of inference into molecules of inference (“synthetic inference rules”).
Satisfying the desiderata D1: Simple checkers. Only the atoms of inference and the rules of chemistry (both small and closed sets) need to be implemented in the checker. D2: Certificates supports a wide range of proof systems. The molecules of inference can be engineered into a wide range of existing inference rules. D3: Certificates are based on proof theory. Immediate by design. D4: Details can be elided. Proof search in the space of atoms can match proof search in the space of molecules. (Don’t invent new molecules in the checker!)
Outline
Four desiderata for proof certificates
More specifics about logic, computation, and proof
The technical bits: Focused proof systems
Focused proof systems Consider a one-side sequent calculus system for classical logic. Two invertible introduction inference rules: ` ∆, B1 , B2 ` ∆, B1 ∨ B2
` ∆, B[y /x] ` ∆, ∀xB
The inference rules for their de Morgan duals (not invertible): ` ∆, B[t/x] ` ∆, ∃xB
` ∆1 , B1 ` ∆2 , B2 ` ∆1 , ∆2 , B1 ∧ B2
Focused proofs are built in two phases: • the “up arrow” ⇑ phase where one only has invertible rules • the “down arrow” ⇓ phase where one has (not-necessarily) invertible rules
LKF : (multi)focused proof systems for classical logic
` Θ ⇑ Γ, t −
` Θ ⇓ t+
` Θ ⇑ Γ, A ` Θ ⇑ Γ, B ` Θ ⇑ Γ, A ∧− B
`Θ⇑Γ ` Θ ⇑ Γ, f −
` Θ ⇓ Γ1 , B1 ` Θ ⇓ Γ2 , B2 ` Θ ⇓ Γ1 , Γ2 , B1 ∧+ B2
Init ` ¬Pa , Θ ⇓ Pa
Store ` Θ, C ⇑ Γ ` Θ ⇑ Γ, C
Release `Θ⇑N `Θ⇓N
` Θ ⇑ Γ, A, B ` Θ ⇑ Γ, A ∨− B
` Θ ⇓ Γ, Bi ` Θ ⇓ Γ, B1 ∨+ B2 Decide ` P, Θ ⇓ P ` P, Θ ⇑ ·
P multiset of positives; N multiset of negatives; Pa positive literal; C positive formula or negative literal
Results about LKF ˆ result from B by Let B be a propositional logic formula and let B placing + or − on t, f , ∧, and ∨ (there are exponentially many such placements). ˆ has an LKF proof. Theorem. B is a tautology if and only if B [Liang & M, TCS 2009] Thus the different polarizations do not change provability but can radically change the proofs. Observe: • Negative (non-atomic) formulas are treated linearly (never weakened nor contracted). • Only positive formulas are contracted (in the Decide rule).
An example Assume that Θ contains a ∧+ b ∧+ ¬c. Atoms are assumed to be positive. ` Θ, ¬c ⇑ · ` Θ ⇑ ¬c Init Init Release `Θ⇓a `Θ⇓b ` Θ ⇓ ¬c and ` Θ ⇓ a ∧+ b ∧+ ¬c Decide `Θ⇑· This derivation is possible iff Θ is of the form ¬a, ¬b, Θ0 . Thus, the “macro-rule” is ` ¬a, ¬b, ¬c, Θ0 ⇑ · ` ¬a, ¬b, Θ0 ⇑ ·
A certificates for propositional logic: compute CNF Use ∧− and ∨− . Their introduction rules are invertible. The bottom-most “macro-rule” is huge, having all the clauses in the conjunctive normal form of B as premises.
...
Init ` L1 , . . . , Ln ⇓ Li Decide ` L1 , . . . , Ln ⇑ · .. . `·⇑B
...
The proof certificate can specify the complementary literals for each premise or it can ask the checker to search for them. Such proof certificates are tiny but require exponential time for checking.
Positive connectives allow for inserting information Let B have several alternations of conjunctions and disjunctions. The tautology C = (p ∨+ B) ∨+ ¬p has a huge proof using invertible connectives. The “clever proof” uses positive connectives. ` C , ¬p ⇓ p ∗ ` C , ¬p ⇓ C Decide ` C , ¬p ⇑ · ` C ⇑ ¬p ` C ⇓ ¬p ∗ `C ⇓C Decide `C ⇑· `·⇑C Clever choices ∗ are injected twice. The subformula B is avoided.
First-order terms and their structure ` Θ ⇓ Γ, A[t/x] ` Θ ⇓ Γ, ∃x A
` Θ ⇑ Γ, A[y /x] § ` Θ ⇑ Γ, ∀x A § y is not free in the lower sequent `Θ⇓t =t
` Θ ⇑ Γ, s 6= t
‡ s and t are not unifiable. ` Θ ⇑ Γ, B(νB)¯t ` Θ ⇑ Γ, νB ¯t
‡
` Θσ ⇑ Γσ † ` Θ ⇑ Γ, s 6= t
† s and t have mgu σ. ` Θ ⇓ Γ, B(µB)¯t ` Θ ⇓ Γ, µB ¯t
B is a formula with n ≥ 0 variables abstracted; ¯t is a list of n terms. Here, µ and ν denotes some fixed point. Least and greatest require induction and co-induction.
Examples of fixed points Natural numbers: terms over 0 for zero and s for successor. nat 0 :- true. nat (s X ) :- nat X . leq 0 Y
:- true.
leq (s X ) (s Y ) :- leq X Y . The logic programs and above can be coded as fixed points. nat = µ(λpλx.(x = 0) ∨+ ∃y .(s y ) = x ∧+ p y ) leq = µ(λqλxλy .(x = 0) ∨+ ∃u∃v .(s u) = x ∧+ (s v ) = y ∧+ q u v ). Horn clauses can be made into fixed point specifications (mutual recursions requires standard encoding techniques).
The engineering of proof systems Consider proving the down-arrow focused sequent ` Θ ⇓ (leq m n ∧+ N1 ) ∨+ (leq n m ∧+ N2 ), where m, n are natural numbers and N1 , N2 are negative formulas. There are exactly two possible macro rules: ` Θ ⇓ N1 for m ≤ n ` Θ ⇓ (leq m n ∧+ N1 ) ∨+ (leq n m ∧+ N2 ) ` Θ ⇓ N2 for n ≤ m ` Θ ⇓ (leq m n ∧+ N1 ) ∨+ (leq n m ∧+ N2 ) A macro inference rule can contain an entire Prolog-style computation.
The engineering of proof systems (cont) Consider proofs involving simulation. A
A
sim P Q ≡ ∀P 0 ∀A[ P −→ P 0 ⊃ ∃Q 0 [Q −→ Q 0 ∧ sim P 0 Q 0 ]]. A
Typically, P −→ P 0 is given as a table or as a recursion on syntax (e.g., CCS): hence, as a fixed point. The body of this expression is exactly two “macro connectives”. A
• ∀P 0 ∀A[P −→ P 0 ⊃ · ] is a negative “macro connective”. There are no choices in expanding this macro rule. A • ∃Q 0 [Q −→ Q 0 ∧+ · ] is a positive “macro connective”. There can be choices for continuation Q 0 . These macro-rules now match exactly the sense of simulation from model theory / concurrency theory.
Conclusion • Manifesto: A theorem is not proved until it is shared and checked. • Focused proof systems provide a rich method for describing “synthetic connectives” and their introduction rules. • A proof certificate provides I
a preamble that defines synthetic inference rules using the vocabulary of focused proofs and
I
a payload that describes proof evidence using the synthetic rules.
Closely related project: Deduction modulo of Dowek, Hardin, Kirchner and the Dedukti proof checker of Boespflug.
